Agnitio Security Code Review Tool v2.1 released

I wanted to write a blog post to let you all know that I’ve released Agnitio v2.1 today. I did plan to release this version a few weeks ago, but a combination of life and bugs/last-minute feature changes delayed the release; better late than never though!

I’ve made a lot of changes for this release so I wanted to make extra sure that everything worked before I released it. Interestingly, Agnitio passed all of its QA tests in the first test run, but the Data Migration Tool was a different story! The DMT is used to migrate users’ existing data into the new Agnitio checklist database. It’s probably not the best way to perform an upgrade and it certainly needs some work, but for now it works! Agnitio currently puts the new checklist database into the Program Files directory alongside the other Agnitio files, which can cause a bit of a problem because of the default file permissions on the Program Files directory.

The Program Files directory in Windows 7 has better default permissions/restrictions than previous versions of Windows, I believe (the definition of “better” requires me to look at it as a security professional and not as someone writing code!), which causes a problem when using Agnitio or the DMT as a standard user. The user obviously needs to be able to read data from the checklist database and, of course, write reviews or changes to the database. I tried a few different approaches to rectifying this and I’ve settled on a solution which probably isn’t ideal, but it does mean standard users can use Agnitio on Windows 7. The DMT will need to be run as an administrator to migrate the data, but after that administrator privileges aren’t needed anymore. You will need to make a few permission changes regardless of the operating system you are using, so please make sure you read the Agnitio v2.1 User Guide (included as part of the installation) before you attempt to use the new version or migrate your data.
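For readers who want to see what a least-privilege version of that permission change looks like in practice, here is an added PowerShell example. It is not from the Agnitio project or its User Guide, and the install path and database file name in it are placeholders I have assumed; the guide’s actual instructions take precedence. The script first tests whether the current (standard) user can open the database for writing, and, only when run elevated, grants Modify on the single database file to BUILTIN\Users rather than loosening the whole install directory under Program Files.

```powershell
# Added example, not Agnitio project code.
# ASSUMPTION: install directory and database file name are placeholders.
$dbPath = 'C:\Program Files\Agnitio\checklist.db'

# Returns $true when the calling user can open the file read/write.
# Run this as the standard user who will actually use Agnitio.
function Test-DbWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $true
    } catch {
        # UnauthorizedAccessException (or a sharing violation if the file is open)
        return $false
    }
}

# Grants Modify on the database FILE ONLY to the local Users group.
# Must be run from an elevated (administrator) PowerShell, because
# changing the DACL of a file under Program Files needs WRITE_DAC.
function Grant-DbAccessToUsers {
    param([Parameter(Mandatory)][string]$Path)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated PowerShell session.'
    }

    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'Modify', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting entry so the change can be checked at a glance.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Usage:
#   As the standard user:   Test-DbWriteAccess -Path $dbPath   (expect $false before the change)
#   As an administrator:    Grant-DbAccessToUsers -Path $dbPath
#   As the standard user:   Test-DbWriteAccess -Path $dbPath   (expect $true afterwards)
```

Granting the right on the file rather than on the directory keeps the executables and other files in the install directory read-only for standard users, which is the property the Program Files defaults are there to protect. One caveat: if the database engine Agnitio uses writes journal or lock files next to the database, the directory itself would need a matching entry, so check the User Guide for which objects actually need to be writable.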

I’m currently working on a better solution to this with a new contributor so I’d expect to have a nicer solution to this problem when the next version of Agnitio is released!

So what’s new in v2.1? I have listed all of the changes in this release below:

Decompile Android .apk files so you can analyse the source code and AndroidManifest.xml file. This uses tools like JAD so you will need to have Java installed on your machine to decompile the Android .apk files.

C# and Java rules from the OWASP Code Crawler tool imported into the Agnitio database and linked to the relevant checklist questions.

New checklist items for mobile application security code reviews. These checklist items were created to address items in the OWASP top 10 mobile risks project that weren’t covered by existing checklist items.

Application profiles can now be configured as either “Web” or “Mobile”. This will determine which checklist items from the database are used to create the checklist for the application being reviewed.

Create new checklist items. You will be able to configure the relevant principle of secure development for the new checklist item as well as deciding whether this is a question for “Web”, “Mobile” or “Both” types of applications.

Modify existing checklist items. This was supposed to be included in v2.0 but a last minute change I made at 7am in a Las Vegas hotel room broke this functionality. You can now modify the text, the principle and type columns for questions in the checklist database.

I made a lot of small changes in addition to the ones above; I’ve listed some of the more obvious ones below:

Fixed a bug on the security code review tab where checklist items with no answers are highlighted in red and never “un-highlighted” (thanks to Steven van der Baan).

Added a language checkbox for Objective-C on the profile creation and view profile tabs.

Checklists are now sorted by principle and not by the question number.

I did have two issues which I couldn’t get fixed but I decided to release v2.1 now because it has already taken longer than I’d planned! The two issues will only affect x64 users and I will make sure they are fixed as part of v2.2:

I have started to plan what will be included in v2.2 but I’ve not started working on it yet. I have a few cool ideas in mind for v2.2 which I think you will all like. I’ve released 5 versions of Agnitio over the past 11 months, which has eaten up a lot of my spare time, and I don’t really enjoy working on one thing for a long time. I will be taking a couple of weeks away from the project before I start work on v2.2 to rest my poor overworked brain. I don’t expect to release v2.2 until sometime after Christmas, partly because of the break I’m taking from the project but mainly because of the amount of work that I will need to do to implement the cool changes I want to make!

As always I’d love to hear what you think of the latest version of Agnitio so get in touch via Twitter, email or leave a comment on this blog post.

7 comments

Hi, I am getting several errors related to some database.. like “unable to retrieve keywords from the database”, etc while using Static Analysis. I directly jumped into this section for analyzing one of my apk file. I even changed the extension to Java etc but without success. Later, used the decompiled one but again with no luck. Is there anything which I missed out. Thanks in advance.

anonymous says:

July 16, 2012 at 3:26 pm

Adding to my previous query: the Language option is not populating any value like “Java”. And when I try to add a profile, the tool displays the following message: Unable to insert data into profiles table. Any pointer on how to configure the database would be helpful.

Security Ninja says:

July 17, 2012 at 9:56 am

Hi,

That is a permissions error relating to the directory Agnitio is installed in. Can you check the user manual (part of the install directory) and make the relevant permission changes? If that doesn’t work for you, let me know.

SN

Antonio says:

July 24, 2012 at 12:26 pm

Hello, is it possible to analyze applications for iOS? I saw you added the function for Objective-C, but cannot decompile the application. Is there another tool to decompile it and then review it with this tool?

Security Ninja says:

July 24, 2012 at 12:32 pm

Hiya,

The short answer is “no” sadly. There are ways to get some information from the file if you have downloaded it from the app store and so on as covered in these Stack Overflow posts:

If you don’t have the source code for the app then I believe it’s (nearly?) impossible to get back to the original source code from the app file. Android and Windows Phone can be decompiled easily but I do remember reading Microsoft are going to change that for the Windows Phone apps.